Govern yourself accordingly: How organisations can implement their own GDPR compliance

Govern yourself accordingly:  How organisations can implement their own GDPR compliance

Sponsored by

Canada’s sluggish response to updating its privacy legislation to address the concerns addressed in the General Data Protection Regulation (“GDPR”) may jeopardize the adequacy status from which the country, and by extension companies regulated by the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), benefit. Add to this the prevailing uncertainty regarding whether organisations in British Columbia, Alberta, and Quebec benefit from adequacy status at all since these organisations are regulated by their respective provincial laws which have not received adequacy recognition, it might be a good idea for organisations that process information on European nationals to begin to take GDPR compliance into their own hands.

The following steps provide a brief overview of the measures an organization should take to become GDPR compliant:

  • Appoint a Privacy Officer or, in smaller organisations, a go-to person for data protection.
  • Create a data register in which the organisations’ departments (ie. human resources, marketing, finance, etc.) describe the data they process, the people or institutions within and outside the organisation to whom the data is transferred, retention and destruction procedures and safeguards.
  • Prioritise compliance by ensuring that:

a. only necessary data is being collected;
b. the legal basis for data collection are respected;
c. clear and explicit privacy notices are drafted to inform individuals of how their data will be collected, stored, used, retained, and transferred;
d. suppliers and subcontractors are compliant and have signed agreements testifying to this compliance;
e. either model clauses are in place for documents involving data transfers between Europe and Canada or other accepted measures are being used;
f. data access, amendment, and take-down procedures are in place; and
g. data-breach response procedures are in place

  • Conduct a privacy impact analysis to determine which data is at greatest risk and how to protect it.
  • Establish processes including continuous general and targeted data protection training to ensure data is protected at all times by every member of the organisation.
  • Document compliance (ie. save forms evidencing consent as well as data access / amendment / take-down requests and organisational responses to these)s

These measures are not impossible to implement. They demonstrate the value, however, of making data protection a governance mater so as to reduce exposure in the event local regulatory bodies are slow to respond to global trends.

Recent articles & video

Support orders not automatically spent if ‘child of marriage’ hits age of majority: BC appeal court

BC Supreme Court partially varies will to ensure fair estate distribution

Lyne Raymond appointed to New Brunswick Provincial Court in Fredericton

BC Provincial Court welcomes new judges Parveen Nijjar and Paul Pearson

BC expands early resolution services for family law matters

Ontario Superior Court approves settlement in mortgage renewal class action

Most Read Articles

BC Supreme Court upholds trust company's estate administration amid beneficiary dispute

Alberta Court of Appeal reinstates sanctions on naturopathic doctor for unprofessional conduct

SCC reinforces Crown's narrow scope to appeal acquittal

Roberta Kaplan departs Kaplan Hecker & Fink amid controversy to launch new firm